xfs
[Top] [All Lists]

Re: [PATCH] xfs: fix buffer use after free on IO error

To: Brian Foster <bfoster@xxxxxxxxxx>
Subject: Re: [PATCH] xfs: fix buffer use after free on IO error
From: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Date: Tue, 25 Mar 2014 06:17:05 -0700
Cc: Eric Sandeen <sandeen@xxxxxxxxxx>, xfs-oss <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <20140325125754.GA18691@xxxxxxxxxxxxxxx>
References: <532CFA12.4040104@xxxxxxxxxx> <20140325125754.GA18691@xxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)
> On Fri, Mar 21, 2014 at 09:48:50PM -0500, Eric Sandeen wrote:
> > +   /*
> > +    * If _xfs_buf_ioapply failed, we'll get back here with
> > +    * only the reference we took above.  _xfs_buf_ioend will
> > +    * drop it to zero, so we'd better not queue it for later,
> > +    * or we'll free it before it's done.
> > +    */
> > +   _xfs_buf_ioend(bp, bp->b_error ? 0 : 1);
> >  
> 
> Out of curiosity, is there any major reason we don't use 0 here
> unconditionally? Are we worried about I/O completing before we have a
> chance to decrement the reference?

I think this should unconditionally avoid the schedule, and while we're
at it we should kill _xfs_buf_ioend and opencode it here and at the
other callsite.

Also atomic_dec_and_test really just returns true/false - there should
ne no need for the explicit == 1 in the conditional.

<Prev in Thread] Current Thread [Next in Thread>